Opposing View: Little Snitch is Awesome if Used Well

During Tuesday's Mac Geek Gab #208, Dave Hamilton and John Braun got into a discussion of Little Snitch from Objective Development. Mr. Hamilton pointed out that the app can be confusing and restrictive in its behavior for newbies and needs to be fully understood before it's toyed with. However, I'm siding with John Braun and suggesting that it's an essential app, one that could benefit many users at different levels.

We grow with our Macs over time. New technologies press us further and further, and whether we like it or not, learning, growth, and adaptability are key to an enlightened, prosperous Mac life. That means that for every Mac user, whether a switcher, a newbie to computing, or someone who wants to become more accomplished, there are certain rituals that one must go through.

Gotta know WHEN to blow that whistle

One of those rituals is being more aware of what the Mac is doing. We have firewalls and (hopefully) secure browsers to make sure that what comes into our Macs is safe. But, in every day use, we have no way of knowing what's leaving our Macs, outbound information that could compromise our security and privacy.

Little Snitch from Objective Development provides that function. It's been developed by white hat good guys in Austria. The app installs a kernel extension (kext) that allows the app to monitor and block, if desired, outbound connections initiated by an application.

Why do those of us who use Little Snitch, like our John Braun and me, love it? It's because we develop a mind map of what's going on with our Macs. Over time, we get to know our app environment, what each app and process is doing and why.

In most cases, an app spills the beans to the mother ship about the version and, sometimes with opt-in, anonymous details of the Mac's configuration to aid the developer. The Mac's Software Update, for example, tells Apple what version of iLife you have so it knows whether to offer you an update. In time, we get to know our environment and that prepares us for something unexpected or suspicious. Getting to know the app territory and customary behavior is a Good Thing.

Mr. Hamilton mentioned that a user casually installed Little Snitch to play with it, then forgot about it, and later had a problem with the proper function of an app. He was probably alarmed and frustrated, and that was viewed as a problem, a failure of Little Snitch. I claim that it's akin to losing your car keys, then blaming it on the car manufacturer.

The trick to Little Snitch is to come to know and love its preference page shown below.

Little Snitch Configuration

Seeing how Little Snitch is going to behave before hand is vital to living with this app. Also, after time, one learns how to go ahead and let a trusted app have outbound access forever. That's encoded into the preferences, and can make life with Little Snitch easier: many fewer popup alerts.

Mr. Hamilton asked Mr. Braun how many times it's formally saved him. The answer was never, but that's not a condemnation of the app. It's like asking a pilot how many times his "gear still up" warning light saved him from a bad landing. Even if the answer is "zero," the pilot wouldn't opt to have that alert disabled.

Living with a Mac is all about norms, experience, and oddities. Flying blind doesn't help that process. Little Snitch is a gentle, friendly app if you take the time, ten minutes, to learn how it works and play with its prefs. Some day, a nasty animal will leak in through Safari, and an unknown app or process will try to divulge some personal information to a bad guy. With years of experience seeing how Little Snitch works with you, you'll catch it and block it. Your actions will seem like second nature to you instead of a reaction to an alarming, mysterious event.

Consider it part of your growth, learning to pilot the Mac. So there, Mr. Hamilton. What say you now?

I have no idea what Mr. Hamilton will say, but I say that Little Snitch takes a heck of a lot more than ten minutes of my time if you consider that by default it announces everything, causing you to have to constantly dismiss its dialog. I found it to be infuriating, annoying and counterproductive. I’m sure I’m not alone in simply disabling it after about fifteen minutes. I’m not a nOOb either, I have Apple certification and many year of experience. I just found it to be an irksome, unnecessary, in-my-face app, ? la Windows Vista.

If the day comes that I have critical information I need to ensure stays private, I will reconsider Little Snitch. Until then, I’ll value quiet, uninterrupted use of my Mac.

@rpaege, agreed with you 100%. I have been testing NetBarrier which gets in the way also.

That’s what I like about “Who’s There”. It doesn’t interrupt me. I can quickly see the in and out activity right on my desktop and the red stands out enough to see if someone is connected or not. If I think it looks suspicious I then can close that port. I just wish it gave a bit more information.

What’s missing from Little Snitch is detail about exactly what app is triggering the alert. If I can’t tell that, I don’t know whether blocking it is good or bad. If there’s an easy way to tell, I didn’t notice it.

Although I’ll admit it can get annoying to have to deal with the dialog every time it detects a suspicious outgoing connection, you can instruct it to always allow a certain type of connection. After a while, it will only report on new apps that are doing something unusual.

Thanks for this article - it saves me the trouble of having to write a “sharply worded” reply to Mr. Hamilton I find Little Snitch very easy to use and I appreciate being able to easily monitor which apps are using my internet connection on a real-time basis via the menu bar.

I found myself nodding in agreement with everything Dave said during this segment of the podcast. I tried the eval of Little Snitch for a few weeks, but have opted to use NetBarrier X5 instead. I found the details provided by NetBarrier a lot clearer and more descriptive, and a lot less obtrusive—the output from Little Snitch was much more like what I’d expect from a PC firewall product (and believe me, I’ve used a lot of those!)

I don’t mean to sound disrespectful to Little Snitch—it really is a fine product. I just personally found NetBarrier to be more logical during setup (after I first got used to the UI) and more descriptive about what was going on when in action, with more logical choices about how to handle the issues if you had to get involved. And most of the time, you don’t have to get involved—it just does what you want it to do! The ease that you can define locations based on network characteristics and then set the firewall characteristics depending on where you’re at is awesome. The data that it meters and collects is useful, not just plentiful. The multiple views of the logs are well thought out and really useful! The integrated Trojan protection is icing.

The difference between these products is that Little Snitch is oriented to providing a UI to the ipfw. NetBarrier is oriented to being a UI to help you protect your computer. Put another way that many here should easily grok, the former is more like a PC program, the latter, a Mac program.

JMHO…

Terrin10:07 AM EDT, Jun. 27th, 2009Guest

I don’t get the comparison. First, Little Snitch is designed to perform one task: monitor outgoing traffic. Netbarrier X5 is designed to be more of swiss army knife and monitors both outgoing and incoming traffic amongst other things. In my view Netbarrier taxes the system far more then Little Snitch. This is because it is monitoring the far more common incoming traffic for viruses and such. People who don’t use a Firewall or care about monitoring for viruses have little need for Netbarrier’s product and may find that product confusing. I had it installed for a while and found it annoying because it was trying to do so much, and I only carried about out going traffic.

Second, after installing Little Snitch for the first time it is essentially in training mode. It questions every out going connection. A window pops up and you tell it what your preferences are. Most outgoing connections you are going to tell it to forever allow. If you don’t it will ask you every time that applications wants to make an outgoing call. For instance, if you open up Safari and want to get on the Internet. If you want to change these preferences where you previously decided you wanted your preferences to apply forever, you have to open the application and do some configuring. As someone else pointed out after a day or two, there should be very little involvement with the program. If you don’t make your web browser and mail settings apply forever, Little Snitch can get annoying quick.

Third, Little Snitch is not a GUI for Apple’s Firewall. Firewalls monitor incoming traffic, not out going. Netbarrier’s product is in part a fancy GUI for Apple’s internal built Firewall. There are free alternatives that accomplish the same objective.

Fourth, Little Snitch is a Mac product, designed for the Mac, and certainly doesn’t feel like something made for Windows. This of course is subjective.

I found myself nodding in agreement with everything Dave said during this segment of the podcast.? I tried the eval of Little Snitch for a few weeks, but have opted to use NetBarrier X5 instead.? I found the details provided by NetBarrier a lot clearer and more descriptive, and a lot less obtrusive?the output from Little Snitch was much more like what I?d expect from a PC firewall product (and believe me, I?ve used a lot of those!)?

I don?t mean to sound disrespectful to Little Snitch?it really is a fine product.? I just personally found NetBarrier to be more logical during setup (after I first got used to the UI) and more descriptive about what was going on when in action, with more logical choices about how to handle the issues if you had to get involved.? And most of the time, you don?t have to get involved?it just does what you want it to do!? The ease that you can define locations based on network characteristics and then set the firewall characteristics depending on where you?re at is awesome.? The data that it meters and collects is useful, not just plentiful.? The multiple views of the logs are well thought out and really useful!? The integrated Trojan protection is icing.

The difference between these products is that Little Snitch is oriented to providing a UI to the ipfw.? NetBarrier is oriented to being a UI to help you protect your computer.? Put another way that many here should easily grok, the former is more like a PC program, the latter, a Mac program.

Terrin10:19 AM EDT, Jun. 27th, 2009Guest

Yes, but that product doesn’t accomplish the same goal. Sure it shows you the connection, but while your deciding to allow it or not the information is already going out. Little Snitch tells you about the connection before allowing the info to escape. Again, after you set Little Snitch to allow all connections forever for your most common trusted applications like Safari and Mail, it is unobtrusive. If you let it tell you about every time your most popular applications are trying to make an outgoing call that will drive you insane and is totally not necessary.

Further, John is right about you getting to know your machine better with Little Snitch. It tells you when applications from companies like Adobe and Microsoft are trying to call home, which is a lot and for the most part unnecessary.

@rpaege, agreed with you 100%. I have been testing NetBarrier which gets in the way also.

That?s what I like about ?Who?s There?. It doesn?t interrupt me. I can quickly see the in and out activity right on my desktop and the red stands out enough to see if someone is connected or not. If I think it looks suspicious I then can close that port. I just wish it gave a bit more information.

Yes, but that product doesn?t accomplish the same goal. Sure it shows you the connection, but while your deciding to allow it or not the information is already going out.

pish-posh. The privacy settings in NB allow you to stop outbound personal info with much more granularity (actually based on content, not just network ports and host names) than LS, and you can set it to either block it, ask, or don’t bother asking if the user’s not an admin.

Firewalls monitor incoming traffic, not out going.

Not true. How do you think LS blocks traffic to hosts and ports? A good firewall does block outbound traffic, not just inbound. LS is only half a firewall, used to check outbound traffic, something normally turned off in OS X, and something that would normally take extensive shell hacking to get to work with ipfw.

Saying LS isn’t a firewall is like saying a motorcycle isn’t a vehicle because it’s only got two wheels…

The problem is, LS is only half a firewall. NB is a complete solution, with vastly superior privacy settings and location identification and logging and metering and… well, ‘nuf said.

I started messing about with computers in 1964. In the mid 1980s when personal computers looked like taking over from mainframes my boss said - “Just watch these PC guys get the end-user into a mess - and then blame the user for not understanding”.
The whole personal computing industry is built on shaky foundations - some parts of it much more shaky than others - and this debate about the pros and cons of how much the user needs protecting from themselves is a typical consequence of the PC pioneers’ legacy.
For my part I think Apple is the least shaky - and that’s why I have a Mac. But if someone told me Little Snitch is “an essential app” then I’d be very worried. If things are (potentially) that bad then I could have saved myself some money and bought an Acer.